Maybe package managers, I’m thinking of something like go get here,
could work like this:
Writing a package would be easy and you could just publish a random
repo anywhere.
End users and admins could pull packages from any of those rando
stranger’s repo but updates weren’t pushed out.
Package writers could alert the package manager app team for
serious security updates.
The manager team would vet the fixed version, and if it was a false
alarm would send out a message “don’t trust this package, they
misuse the security update system” and if it was a real fix they’d
send out a message telling you to update and giving you a way to
optionally press “yes” right there and get their vetted version.
(Or if it seems like an honest false alarm as opposed to a
malicious one, just do nothing.)
In other words, when it’s business as normal, your everyday feature
creep and bug fixes, it’s not centralized and there’s zero hoops to
publish a package and install a package straight from the repo. When
there’s danger, it is centralized and the package manager itself
takes over and that team decides whether to alert or not alert.
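Here is a sketch of the two-channel scheme described above, as an added example in Go (go get being the package manager mentioned); it is not code from the original comment or from any real package manager. The assumptions are mine: the manager team holds an Ed25519 key and signs each advisory; an advisory is either "update" (vetted fixed version for listed affected versions) or "distrust" (the author abused the security channel); an honest false alarm simply produces no advisory; and the client only acts on advisories for packages it actually has installed. Package paths and versions are constructed demo data.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
)

// Advisory is one message from the hypothetical package-manager team.
// Kind "update": a vetted fixed version exists for the listed affected
// versions. Kind "distrust": the package author abused the security
// channel. An honest false alarm produces no advisory at all.
type Advisory struct {
	Package  string   `json:"package"`            // repo the user pulled from
	Kind     string   `json:"kind"`               // "update" or "distrust"
	Affected []string `json:"affected,omitempty"` // versions needing the fix
	Fixed    string   `json:"fixed,omitempty"`    // vetted version to move to
	Note     string   `json:"note,omitempty"`
}

// SignedAdvisory is the advisory body plus the team's Ed25519 signature.
type SignedAdvisory struct {
	Body []byte
	Sig  []byte
}

// Installed maps package path to the version currently installed.
type Installed map[string]string

// Action is what the client proposes for one installed package.
type Action struct {
	Package string
	Do      string // "update" (prompt for the vetted version) or "warn"
	To      string // target version for "update"
}

// SignAdvisory is the team side: serialise and sign with the team key.
func SignAdvisory(priv ed25519.PrivateKey, a Advisory) (SignedAdvisory, error) {
	body, err := json.Marshal(a)
	if err != nil {
		return SignedAdvisory{}, err
	}
	return SignedAdvisory{Body: body, Sig: ed25519.Sign(priv, body)}, nil
}

// Evaluate is the client side: verify every advisory against the team's
// public key, drop forged ones (counted in rejected), and turn the rest
// into actions for packages that are actually installed here.
func Evaluate(teamPub ed25519.PublicKey, inst Installed, feed []SignedAdvisory) (actions []Action, rejected int, err error) {
	for _, s := range feed {
		if !ed25519.Verify(teamPub, s.Body, s.Sig) {
			rejected++ // anyone can write an advisory; only the team can sign one
			continue
		}
		var a Advisory
		if uerr := json.Unmarshal(s.Body, &a); uerr != nil {
			return nil, rejected, uerr
		}
		cur, ok := inst[a.Package]
		if !ok {
			continue // not installed on this machine, nothing to do
		}
		switch a.Kind {
		case "update":
			for _, v := range a.Affected {
				if v == cur {
					actions = append(actions, Action{a.Package, "update", a.Fixed})
					break
				}
			}
		case "distrust":
			actions = append(actions, Action{a.Package, "warn", ""})
		default:
			return nil, rejected, fmt.Errorf("unknown advisory kind %q", a.Kind)
		}
	}
	return actions, rejected, nil
}

// Apply models the optional "yes" button: only updates the user accepts
// change the installed set; warnings never change anything by themselves.
func Apply(inst Installed, actions []Action, accept func(Action) bool) {
	for _, act := range actions {
		if act.Do == "update" && accept(act) {
			inst[act.Package] = act.To
		}
	}
}

func main() {
	// Constructed demo data; nothing here is fetched from a real repo.
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	inst := Installed{"example.com/alice/foo": "1.2.0"}
	adv, _ := SignAdvisory(priv, Advisory{Package: "example.com/alice/foo", Kind: "update",
		Affected: []string{"1.1.0", "1.2.0"}, Fixed: "1.2.1", Note: "vetted fix"})
	acts, rejected, err := Evaluate(pub, inst, []SignedAdvisory{adv})
	fmt.Println(acts, rejected, err)
	Apply(inst, acts, func(Action) bool { return true })
	fmt.Println(inst)
}
```

The point of the signature check is that the everyday pull-from-any-repo channel stays open while the alert channel cannot be spoofed by the same random strangers: a "distrust" or "update" message that is not signed by the team key is dropped rather than acted on, and even a valid "update" only changes anything when the user says yes.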